Welcome back to our Triage Thursday update blog series. This week is a shorter post with just a few new family detections to cover. You can find more details of them below.
- Updated static detection for Xorist ransomware
- Family signatures for RMS RAT
- Updated detection for Amadey trojan
- New detection for VKeylogger
- New detection for CyberGate RAT
Earlier this week we also announced our new Triage integrations for Splunk Phantom and Cortex XSOAR, to help you incorporate sandbox reports into your existing analysis workflows. If you missed that announcement and want to find out more the blogpost is available here.
We’ll have more news on some bigger features we’re working on over the coming weeks. Meanwhile if you have any feedback on Triage or particular samples please do get in touch! You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.
Not signed up yet? Head over to tria.ge to register for a free account.
Xorist Ransomware Update
Xorist is a family which has been around for a few years, being sold to various threat actors as a framework which can be used to create a custom version of the ransomware. As such indicators like file extensions tend to change quite a bit between campaigns, but the basic functionality and the note dropped with ransom instructions are generally very similar.
We originally added detection for Xorist back in September, but we recently noticed some samples which weren’t being caught by our signatures. Upon inspection it was apparent that this was targeting Czech-language users and not being correctly detected by our signatures.
To resolve this, we have now added additional static detection for Xorist which should catch indicators regardless of the language being used. We’ll keep monitoring the family for future updates and tweak things as needed.
RMS (Remote Manipulator System) is a legitimate administration tool developed by Russian software firm TektonIT. As with many similar programs it has been observed in use as a malicious RAT, reportedly by groups including TA505. Cofense also reports that it has been deployed alongside Dridex in the past.
We have added some signatures to detect the family and apply the relevant tag.
Amadey was first reported back at the start of 2019. It is a trojan/botnet which targets non-Russian users and is available for sale through online forums.
Infected machines are incorporated into a botnet which is used for sending spam emails, carrying out DDoS attacks etc. The malware can also deploy additional payloads on a system - for example in May 2020 ZScaler reported that it was pushing the Remcos RAT.
We recently observed some discussion on Twitter about a keylogger which was being called VKeylogger.
This looks like another one of what @ViriBack found:https://t.co/GLW1crVifX— James (@James_inthe_box) November 20, 2020
VKeylogger so far just by looking at it.
Based on these reports we gathered the samples and have developed some initial family signatures to ensure proper detection. Credit goes to @JAMESWT_MHT, @James_inthe_box and @ViriBack for the samples.
CyberGate is another relatively old malware family, with CitizenLab referencing it going back as far as 2008.
It is a fully featured RAT/backdoor, providing an attacker with complete control of an infected machine. Built-in capabilities include: capturing screenshots, audio and video; logging keystrokes; downloading and executing additional files; or a full command-line interpreter.